An outsourcing arrangement is a contract between the institution
and an audit services firm to provide internal audit services.
Outsourcing arrangements take many forms and are used by
institutions of all sizes. The services under contract can be as
limited as assisting internal audit staff with an assignment in
which they lack expertise. This type of arrangement would typically
fall under the control of the institution's internal audit manager,
to whom the audit provider would typically report.

Other outsourcing arrangements may call for an audit provider to
perform all or several parts of the internal audit work. Under
these types of arrangements, the institution should maintain an
internal audit manager and, as appropriate, internal audit staff
sufficient to oversee vendor activities. The audit provider usually
assists the internal audit function in determining the
institution's areas of risk and the levels of risk to be reviewed,
and recommends and performs audit procedures approved by the
institution's internal audit manager. In addition, the outsourced
audit provider should work jointly with the internal audit manager
in reporting significant findings to the board or its audit
committee.

Before entering into an outsourcing arrangement, the institution
should perform due diligence to ensure that the audit provider has
a sufficient number of qualified staff members to perform the
contracted work. Because the outsourcing arrangement is a
professional or personnel services contract, the institution's
internal audit manager should have confidence in the competence of
the staff assigned by the audit provider and receive timely notice
from the vendor of any key staffing changes. Throughout the
outsourcing arrangement, management should ensure that the audit
provider maintains sufficient expertise to perform effectively and
fulfill its contractual obligations.

When an institution enters into an outsourcing arrangement, or
significantly changes the mix of internal and external resources
used by internal audit, operational risk may increase. Because the
arrangement could be terminated suddenly, the institution should
have a contingency plan to mitigate any significant gap in audit
coverage, particularly for high-risk areas. In its planning, an
institution should consider possible alternatives and determine
what it will do if an auditor with specialized knowledge or skills
is unable to complete reviews of high-risk areas, or if an
outsourcing arrangement is terminated. For example, management
could maintain information about the services offered and areas of
expertise, as well as contact names and phone numbers, of other
firms in their geographic area that could provide internal audit
assistance in specific areas or a broader range of outsourcing
services.

When negotiating the outsourcing arrangement with a vendor, an
institution should carefully consider its current and anticipated
business risks in setting each party's internal audit
responsibilities. To clearly define the institution's duties and
those of the outsourcing vendor, the institution should have a
written contract, often referred to as an engagement letter. (In
general, the contract between the institution and the audit
provider may or may not be the same as the engagement
letter.) The contract should:

Define the expectations and responsibilities for both
parties;

Set the scope, frequency, and cost of work to be performed by
the vendor;

Set responsibilities for providing and receiving information,
such as the manner and frequency of reporting to senior management
and the board about the status of contract work;

Establish the protocol for changing the terms of the service
contract, especially for expansion of audit work if significant
issues are found, and stipulations for default and termination of
the contract;

State that any information pertaining to the institution must
be kept confidential;

Specify the locations of internal audit reports and the related
work papers;

Specify the period of time that vendors must maintain the work
papers (if work papers are in electronic format, contracts often
call for the vendor to maintain the software that allows the
institution and examiners access to electronic work papers during a
specified period of time);

State that outsourced internal audit services provided by the
vendor are subject to regulatory review and that examiners will be
granted full and timely access to the internal audit reports and
related work papers prepared by the outsourcing vendor (FDICIA
Section 112 (12 USC Section 1831m(g)(3)) provides that all auditors
are required to make their work papers available to bank examiners;
12 CFR 715.9(c) requires credit unions to obtain a signed audit
engagement letter that includes a certification of unconditional
access to the complete set of original working papers by credit
union examiners);

State that internal audit reports are the property of the
institution, that the institution will be provided with any copies
of the related work papers it deems necessary, and that employees
authorized by the institution will have reasonable and timely
access to the work papers prepared by the audit provider;

Prescribe a process (arbitration, mediation, or other means)
for resolving problems and for determining who bears the cost of
consequential damages arising from errors, omissions, and
negligence; and

State that audit providers will not perform management
functions, make management decisions, or act or appear to act in a
capacity equivalent to that of an employee or a member of
management of the institution, and will comply with professional
and regulatory independence guidance.

Directors and senior management should ensure that the
outsourced internal audit function is competently managed. For
example, larger institutions should employ sufficient competent
staff members in the internal audit department to assist the
internal audit manager in overseeing the outsourcing vendor.
Smaller institutions that do not employ a full-time audit manager
should appoint a competent institution employee to oversee the
outsourcing vendor's performance under the contract. This person
should report directly to the audit committee for purposes of
communicating audit issues and ideally should have no managerial
responsibility for the area being audited.

Communication among the internal audit function, the audit
committee, and senior management should not diminish because the
institution engages an outsourcing vendor. The institution's audit
manager should be involved with the audit provider in defining the
audit universe and setting a risk-based IT audit schedule. The
audit provider should appropriately document all work and promptly
report all control weaknesses found during the audit to the
institution's internal audit manager.

The outsourcing vendor should work with the internal audit
manager to mutually determine what audit findings are significant
and should be emphasized when reported to the board and its audit
committee. The concept of materiality as the term is used in
financial statement audits is not necessarily a good indicator of
which control weaknesses to report. For example, reportable
weaknesses could affect the institution's reputation or compliance
with laws and regulations without a direct impact on the financial
statements.